Password Hygiene 2018

A year ago, I wrote a short list of rules or suggestions for choosing and managing passwords. I reread it today. The advice is still good, but the urgency has increased, if that is possible. The unfortunate fact is that the criminals have not let up. Law enforcement is still often stymied by cybercriminal assaults. Some assaults are from places where cybercrime laws are lax. When a crime is committed from out-of-state or out-of-country, an extradition is usually required, an expense that local law enforcement agencies often cannot afford. On top of all this, the criminals, both domestic and foreign, are getting better at their “art,” if you can call it that.

There is a bright side. The computing industry is taking security much more seriously in 2018 than it did ten years ago, even three years ago. The current arguments over election hacking, as disheartening as they are, have helped focus the spotlight on computer security. The industry has invested heavily in multi-factor and biometric authentication. Although I have reservations about biometric authentication, I’ve been using Windows 10 facial recognition authentication on my go-to tablet and I have found it convenient, although I still doubt that my device is well protected if I let it slip out of my hands. If I were a high-profile target with precious contents on my device, I would not rely on facial or fingerprint recognition to keep my contents safe.

The big news is the rise of multi-factor authentication, which I wrote about recently. Multi-factor authentication uses more than one kind of verification to authenticate the identity of a user. I will not equivocate: multi-factor authentication is always more secure than relying on a password alone. However, some forms of multi-factor are more secure than others. But multi-factor is always more trouble than simply entering a password or having your face scanned. If you are going to submit to the hassle, and I recommend you do submit when anything important is at stake, then why not choose the most secure alternative?

Verification via a token sent by email or a text message is substantially stronger than a password alone, but both email accounts and text messages are subject to hacking that is not that difficult. Use of an authentication application or a physical authentication key like Yubikey or Google Titan is much more difficult for hackers to circumvent. If I were a high-profile target, I would have a physical key.

Nevertheless, does multi-factor make good password hygiene obsolete? Absolutely not. An easily hacked password is an open door that makes the hacking life easier. And, unfortunately, some sites do not offer multi-factor authentication in any form, so password hygiene is still a necessity.

2018 password hygiene rules

  • Never use a password for more than one site or account. Some of the biggest security breaches in recent years were caused by password reuse.
  • To resist the temptation to reuse or to use easily crackable passwords, consider getting a password manager like LastPass to generate and manage long random passwords. Password managers are a single point of vulnerability. If your password manager is hacked, you are a slice of toast in a shower bath. However, a well-designed and maintained manager is much more secure than a badly managed set of weak passwords.
  • Longer passwords are better. The longer a password is, the harder it is to crack. A password 15 characters long is still hard to crack today. As computing hardware improves, longer passwords may be needed.
  • Mixing lowercase and uppercase letters, numbers, and symbols like !@#$ makes cracking harder, but not as much as increasing the length.
  • A long phrase is often strong and easy to remember, but common phrases, even common phrases obfuscated with tricks like replacing “s” with “$” or “o” (letter) with “0” (number), are relatively crackable. Skilled hackers know the tricks as well as you do. Start with a plain phrase that gets no hits on Google and go from there.
  • A long random sequence of mixed lower and upper case, numbers, and symbols is very hard to crack, but also hard to remember. A password manager mitigates this issue.
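To put numbers behind the rules above (length beats character mix, and leetspeak tricks on a common phrase add little), here is an added example that is not part of the original post. It estimates the brute-force entropy of a password from its length and the character classes it uses, and normalizes the common substitutions (“$” for “s”, “0” for “o”) before checking against a small constructed phrase list. The phrase list and the substitution table are assumptions for illustration; real cracking wordlists hold millions of entries and try many more substitution patterns.

```python
import math
import re

# Constructed sample of phrases a cracking wordlist would contain (illustrative only).
COMMON_PHRASES = {
    "iloveyou", "letmein", "password", "trustnoone", "tobeornottobe",
}

# Assumed substitution table covering the obfuscation tricks the post mentions.
LEET_MAP = str.maketrans({"$": "s", "0": "o", "3": "e", "@": "a", "1": "i", "!": "i"})


def charset_size(password: str) -> int:
    """Size of the alphabet a brute-force attacker must assume, from the classes present."""
    size = 0
    if re.search(r"[a-z]", password):
        size += 26
    if re.search(r"[A-Z]", password):
        size += 26
    if re.search(r"[0-9]", password):
        size += 10
    if re.search(r"[^a-zA-Z0-9]", password):
        size += 33  # printable ASCII punctuation and symbols
    return size


def entropy_bits(password: str) -> float:
    """Upper bound on guessing entropy: assumes every character was chosen uniformly."""
    size = charset_size(password)
    return len(password) * math.log2(size) if size else 0.0


def years_to_crack(bits: float, guesses_per_second: float = 1e10) -> float:
    """Expected time to find the password by brute force (half the keyspace on average)."""
    return (2 ** bits / 2) / guesses_per_second / (365 * 24 * 3600)


def normalize_leet(password: str) -> str:
    """Undo the substitutions a cracker's rule engine applies, so obfuscated phrases match."""
    return password.lower().translate(LEET_MAP)


def is_obfuscated_common_phrase(password: str) -> bool:
    """True when the password is a common phrase hidden behind leetspeak substitutions."""
    return normalize_leet(password).replace(" ", "") in COMMON_PHRASES


if __name__ == "__main__":
    # Constructed sample passwords: 8 chars from all classes vs. 15 lowercase letters.
    for pw in ("Ab1!Ab1!", "abcdefghijklmno", "P@$$w0rd", "Tru$tN00ne"):
        bits = entropy_bits(pw)
        print(f"{pw:18} charset={charset_size(pw):3} bits={bits:5.1f} "
              f"years={years_to_crack(bits):.2e} "
              f"obfuscated_phrase={is_obfuscated_common_phrase(pw)}")
```

Running it shows the 15-character lowercase password carries roughly 70 bits against about 53 for the 8-character mixed one, and that “P@$$w0rd” collapses to a dictionary word once the substitutions are undone.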

A final word

Quantum computing threatens to blow encrypted passwords away completely. In theory, a quantum computer could crack any password in milliseconds. This danger is theoretical and a few years in the future, but real. An outlying possibility is quantum encryption that thwarts quantum decryption, but I am aware of nothing real yet. However, because I recognize the quantum threat, I continue to explore biometric solutions and emphasize multi-factor.

A final final word

Avoid sites that are sloppy or predatory in design and management. These places are like dark alleys in a bad neighborhood. If you must deal with these sites, be sure that the benefits are worth the risk and watch yourself. If you can’t recognize cyber danger, stay away. If you are subject to hubris over cyber threats, find a secret hole and crawl in it. You are in danger.

Two Factor Authentication

Two-factor or multi-factor authentication makes computing more secure. You’ve probably seen it already and you will see more of it. I highly recommend it, with some caveats. I remain skeptical of biometric authentication. Facial, fingerprint, and retina recognition are all convenient, but they also have issues that are not ironed out yet. No matter how optimistic the sensor makers’ marketing, faces, prints, and retinas can’t be replaced when they are compromised, and there are reports of gruesome compromises. Multi-factor authentication adds extra steps to authentication, but there is no question that additional factors increase security.

What is multi-factor authentication?

As the name suggests, multi-factor authentication requires a user’s identity to be established in multiple ways. The user name and password authentication that has been used for decades uses a single piece of evidence to prove you are who you claim to be: knowledge of the correct password. Two-factor authentication adds another piece of evidence. The second piece of evidence could be a second password, but all passwords are vulnerable in the same ways, so it is better to use more than one kind of evidence.

Security specialists often talk about three types of evidence of authenticity: what you know, what you have, and what you are. A password is something you know that no one else does. A physical key is an object that only you have. Your fingerprints, your facial appearance, your retinal pattern, and your DNA are examples of something you are.

An example

Physical safes commonly use single factor authentication, sometimes multi-factor authentication. Most single factor safes have combination locks. To enter a single factor safe, you simply enter the correct sequence of numbers. If you write the sequence down, someone could find the paper; or someone could look over your shoulder and watch you dial the combination. Whoever finds the paper or watches you has access to the safe. Sneaking in is a challenge, but by no means impossible.

Bank vaults frequently have two combinations each known to a single bank officer. To open the vault, both officers must dial in their combination. One officer may be incautious or a fraudster, but the double combination prevents a single officer from getting in without a witness.

We have a safe in our home that requires both a combination and a key. I know the combination, but without the key, I can’t get in. If thieves were to successfully snatch the combination, they would still have to find the key. Often, even I can’t find the key, so they’ll have a job to get into our safe. In this way, our two-factor, key and combination safe is an annoyance, but more secure than a single-factor combination-only safe.

Multi-factor user authentication

Typical two-factor authentication uses a password and something else. One common method uses a text message sent to your phone containing a four- to eight-character token. After correctly entering your password you must enter the token that is automatically sent to your phone when you enter the correct password. In other words, you must both know your password and have your phone to get into the account. Another variation is to email a token. In that case, you must both know your password and have access to your email account. These methods are harder for criminals to deal with than a simple password.

Flaws in message-based authentication

These methods are good, as long as access to your email account or phone is secure. However, email is just another account to secure, which would be better done with multi-factor authentication. To do that, you would have to have another secure email account. At a certain point, the complexity becomes unbearable.

Cellphone issues

The cellphone method also has problems with phone numbers and SIM cards. Phone numbers are assigned to SIM cards. Usually, when you buy a new phone, you move your SIM card, and your phone number, contacts, and other information move with you. However, the service providers can reassign phone numbers to a new SIM, say when your phone is lost or destroyed, or you get a new phone that is not compatible with your old SIM.

The ever considerate and conciliating providers can easily transfer your phone number to a new SIM. They hesitate to hassle a customer too much when numbers are reassigned and they do not press a requesting customer for too much identification and verification, which means that criminals with a handful of information can get your phone number transferred to their own phone. To make matters worse, cell carrier employees are not guaranteed to be honest: they might be bribed or they may be criminals themselves. As a result, criminals have found it fairly easy to get phone numbers reassigned without the owner’s consent.

Once your phone number has been transferred, the criminal can use it to gain access to your accounts, change passwords, run up bills, and drain your bank.

The cellular providers have not been forthcoming on how often this happens, but anecdotal evidence says the practice is on the rise. There are a few things to do to protect yourself. If your provider offers a PIN for changes to your account, take it. Most important: when your number is transferred, you will get a notification on your phone and it will stop working. Call your provider as quickly as you can when you get a notice. Criminals can wreak havoc in minutes with a stolen phone number.

A stronger method

A better alternative is to use another authentication factor that does not depend on sending a token to you. This can take several forms, but they all involve a small application that runs on a device in your possession that produces tokens. When the application is set up, the service you are logging into and the application exchange information that syncs the application with the service. One method provides tokens that change with the date and time. If you can’t supply the unique time-based token from the app that corresponds to your account, access is denied. Another implementation relies on a private key held on the device. An elegant implementation places the token generator in a USB device similar to a thumb drive. Plug the “key” in, authenticate, and the USB device supplies the correct token. These methods do not rely on communication after the initial setup. Neither WiFi nor a cellular connection to the key device is necessary.

I noted with approval in this article in the Washington Post, that the federal government will soon require two-factor authentication for administrators of all government web sites. The method chosen by the feds is better than relying upon calling or messaging the phone. They are using Google Authenticator, which runs on an Android or Apple phone.

These methods are more secure, but not all multi-factor sites accept tokens from all authenticator apps, so you may not be able to use your choice on all accounts.

There’s a podcast on Lawfare explaining Google’s approach to advanced security that is informative.

Fonts!

I have concluded that the world is divided between MS Comic Sans lovers and haters. I am currently among the haters, but I have been among the lovers at times.

Objectively, there is nothing wrong with Comic Sans. It’s clear, easy to read. It’s much better than anachronisms like Courier New, whose spindly lines are artifacts of manual typewriters that had to concentrate the impact of keys into narrow lines in order to make a clear mark on the paper. Although it radiates light-hearted casual, there is sophistication in the shaping of those rounded forms.

Most of the time, I prefer a serif font like Times New Roman. Those clever medieval scribes had something when they added those little flourishes. A serif font is a climbing wall with lots of hand and footholds, something for the eye to grab hold of as it makes its way down a line of text.

Comic Sans is too slick. My eye loses its place too easily. Not a big deal, but enough to make Comic Sans a chore to read rapidly.

How Computers Work

I will be teaching a new class at the Ferndale Public Library on Saturday, September 22, 2-3pm. My grandson Christopher and I made ourselves available for an hour every two weeks to help people with their computing questions and problems last year, taking the summer off. We found out a lot about the kinds of difficulties folks have with computers.

As an engineer, I can’t work with anything unless I know how it works. Many people know how to use a computer, more or less, but they don’t know how it works—what’s happening inside those desktops, laptops, tablets, and phones. In the Saturday class, I’ll be talking about how it all works. When you understand how computers work, using them becomes easier for a lot of folks. Computers have tremendous power, and many limitations. Asking them to do things that are not possible or extremely difficult causes frustration, and often, users don’t know what is easy and what is hard. In this class, I’ll try to lay the groundwork for understanding, rather than simply pushing the buttons on computers.

Putting the class together has been a challenge. I plan to explain digital computing in ways that I haven’t seen outside a few engineering classes. I hope the presentation will be clearer, easier to understand, and more revealing than anything I have read or seen for beginners. Christopher is a teenager who has used computers since preschool; I wrote my first program in 1967. Between the two of us, we cover a lot of territory.

Christopher and I will also be back on every 1st and 3rd Wednesday at the Ferndale Public Library from 3pm to 4pm, starting Wednesday, September 5. Last year, we handled questions on email, setting up a Linux development environment, and folks who may have been hacked. We’re excited to see what will be bothering folks this year. We’re ready for anything… I hope.